npm - network-ai - Versions diffs - 5.8.3 → 5.8.4 - Mend

network-ai 5.8.3 → 5.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/INTEGRATION_GUIDE.md CHANGED Viewed

@@ -564,4 +564,4 @@ Run these before declaring the integration production-ready:
 ---
-*Network-AI v5.8.3 · MIT License · https://github.com/Jovancoding/Network-AI*
+*Network-AI v5.8.4 · MIT License · https://github.com/Jovancoding/Network-AI*

package/README.md CHANGED Viewed

@@ -5,7 +5,7 @@
 [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
 [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v5.8.3-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v5.8.4-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![Tests](https://img.shields.io/badge/tests-3136%20passing-brightgreen.svg)](#testing)
 [![Adapters](https://img.shields.io/badge/frameworks-29%20supported-blueviolet.svg)](#adapter-system)

package/SKILL.md CHANGED Viewed

@@ -6,7 +6,7 @@ metadata:
     emoji: "\U0001F41D"
     homepage: https://network-ai.org
     capabilities:
-      filesystem: "read/write — project root `swarm-blackboard.md` (blackboard state), `data/pending_changes/<id>.json` (WAL entries), `data/audit_log.jsonl`, `data/active_grants.json`, `data/.signing_key`, `data/project-context.json`, `data/task_tracking.json`, `data/agent_health.json`, `data/budget_tracking.json`. All paths are local; nothing is transmitted over the network. When NETWORK_AI_ENV is set, data paths are rooted at `data/<env>/` instead of `data/`."
+      filesystem: "read/write — project root `swarm-blackboard.md` (blackboard state), `data/pending_changes/<id>.json` (WAL entries), `data/audit_log.jsonl`, `data/active_grants.json`, `data/.signing_key`, `data/project-context.json`, `data/task_tracking.json`, `data/agent_health.json`, `data/budget_tracking.json`. All paths are local; nothing is transmitted over the network. When NETWORK_AI_ENV is set, data paths are rooted at `data/<env>/` instead of `data/`. The `--path` argument in blackboard.py is validated against the project root at runtime — paths outside the project directory are rejected (CWE-22)."
       env_vars: "read — NETWORK_AI_ENV (environment routing), NETWORK_AI_MCP_SECRET (MCP bearer auth), NETWORK_AI_MINIMAL (minimal-mode flag). No env vars are written."
       shell_exec: "optional — AgentRuntime (lib/agent-runtime.ts) with SandboxPolicy and ApprovalGate; disabled by default. Never auto-enabled by this skill. auto_approve must NOT be set in production (see auto_approve_warning below)."
       tcp_port: "optional — MCP SSE server (bin/mcp-server.ts) binds 127.0.0.1 only when explicitly started by the operator. Requires a non-empty bearer-token secret. Never auto-started by this skill or any bundled Python script."
@@ -754,7 +754,7 @@ The following findings are drawn from the **MAESTRO Agent Security Threat** fram
 | Control | How Network-AI addresses it |
 |---|---|
-| **Exact version pinning** | npm `package.json` uses exact `"version": "5.8.3"` — no semver range specifiers; `clawhub install network-ai` pins to a specific published version |
+| **Exact version pinning** | npm `package.json` uses exact `"version": "5.8.4"` — no semver range specifiers; `clawhub install network-ai` pins to a specific published version |
 | **Zero transitive dependency drift** | All bundled Python scripts use Python stdlib only — `pip install` is never required; there are no third-party packages to drift, be compromised upstream, or introduce CVEs |
 | **Signed, tagged releases** | Every release is committed with a signed Git tag (`v5.7.x`); commit hash is verifiable against CHANGELOG.md; GitHub releases link tag → diff → changelog entry |
 | **Supply chain monitoring** | npm package continuously scored by Socket.dev (score A); any new dependency or permission change triggers an alert |

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "5.8.3",
+  "version": "5.8.4",
   "description": "AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Computer Use, OpenAI Agents SDK, Vertex AI, Pydantic AI, Browser Agent, Hermes, Orchestrator, RLM + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
   "homepage": "https://network-ai.org",
   "main": "dist/index.js",

package/scripts/blackboard.py CHANGED Viewed

@@ -3,6 +3,8 @@
 # All I/O is local file operations only:
 #   READS:  swarm-blackboard.md, data/pending_changes/<id>.json
 #   WRITES: swarm-blackboard.md, data/pending_changes/<id>.json
+# --path is accepted for environment routing but is validated against the project
+# root directory; paths outside the project directory are rejected (CWE-22).
 # Imports used: argparse, json, os, re, sys, time, hashlib, datetime, pathlib,
 #               typing, contextlib, fcntl (Unix file-lock only, no network use)
 # No imports of: requests, socket, subprocess, urllib, http, ssl, ftplib, smtplib
@@ -677,7 +679,7 @@ Examples:
         "--path",
         type=Path,
         default=BLACKBOARD_PATH,
-        help="Path to blackboard file"
+        help="Path to blackboard file (must be inside the project directory)",
     )
     parser.add_argument(
         "--env",
@@ -690,6 +692,20 @@ Examples:
     if args.env:
         _data = _resolve_data_dir(args.env)
         args.path = _data / "swarm-blackboard.md"
+    # Validate --path against the project root to prevent path traversal (CWE-22).
+    # Resolving symlinks before comparison ensures traversal via symlinks is also blocked.
+    _project_root = Path(__file__).parent.parent.resolve()
+    try:
+        args.path.resolve().relative_to(_project_root)
+    except ValueError:
+        print(
+            f"Error: --path must be inside the project directory ({_project_root}). "
+            f"Got: {args.path.resolve()}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
     bb = SharedBlackboard(args.path)
     try: